4/24/2010 




DATA, COMPUTING and INFORMATION




Too many secrets? 









Introduction 



■ This unit looks at the consequences of computing and
networking technologies from two points of view:

How they affect privacy. 

How they affect the ownership of information and intellectual 
property rights. 

■ The application of technology involves a number of 
interacting areas of human concern: ethics, moral 
principle, politics, political systems and law. 

Ethics and moral principles will be discussed at greater length in 
Unit 16. 

This unit is concerned primarily with the political and legal 
aspects. 









The role of law 

Everyone has a set of principles: ideas about what
constitutes right or wrong behavior.

These principles arise out of social conditioning in our childhood. 
This conditioning could in turn be based on religious beliefs 
and/or life practices. 

■ Morality is about the degree of conformity to a set of 
principles that determine ‘rightness’. 

■ Ethics is about choosing between behaviour that is 
morally ‘right’ and that which is morally ‘wrong’. 




■ Political systems are also based on principles. 

■ In most societies, the legal system supports the predominant 
moral principles. 

■ However, even within a single culture there are tensions 
between different moral principles, and these may be 
reflected in the culture’s legal system. 

■ Early users of the internet viewed it as a forum where
anything could be said (disagreements, flaming).

■ Later, the user community began to feel that the entirely free
exchange of views was in some ways harmful.

■ Further, governments began seeking to regulate websites 
which contained material that would be illegal. 








How private is private? 

This section aims to: 

Explain privacy and surveillance; 

■ Show how much information is known about us; 

■ Show how organizations communicate with us 
through data and transaction processing. 




Privacy and surveillance 

People typically think of privacy in terms of: the 
separation of information from public interest. 

■ Felix Stalder (2002) argues that the concept of privacy
might be better defined in terms of access to information
and its fair use.

The flip side of privacy is surveillance: observation of
individuals for the purpose of influencing, modifying or
controlling their behavior.




What might be known about us 

■ There are many things about us which, to varying degrees, in 
the past, were more ‘private’. 

For instance, in a largely cash economy, what one bought or sold would 
only be known to those who witnessed the sale or would be stored on 
paper records such as bills of sale or invoices. 

Writing and storing these was laborious (difficult). 

■ Now we depend upon third parties to record such things: the 
credit card company, the bank, the seller’s company. 

The data is collected by many anonymous hands. 

Any of these organizations will hold considerably more information than 
was the case in the pre-digital past. 

A credit card company will record details of your purchases, the method 
you use to pay, how much you owe and to whom, who employs you, 
what your income is, and so on. 




Daily business: transactions and agents 

Daily life is now largely conducted through transactions: the
brief and frequently remote exchange of data to accomplish
some goal such as purchase or sale, transfer of funds, making a
booking and so on.

■ Transactions can be:

between an individual and commercial organizations such as a
bank, airline, car rental company or retailer;

between an individual and government departments;

organization-to-organization transactions (will not be discussed).

■ Data and transaction processing form the life-blood of large 
organizations (and even small and medium-sized enterprises) 
everywhere. 

■ Face-to-face transactions now form a smaller part of our lives 
than ever before. 






■ We have lost much of our privacy as an inevitable side-effect 
of the way technology enables organizations to gather, store, 
copy and disseminate data about us. 

■ Some examples include the following: 

If you use a credit card or withdraw money from an ATM, the details of 
the transaction: the amount, the time, and the location are all recorded. 

If you carry a mobile phone, while switched on it is in constant 
communication with the base stations informing them of your location. 
This could be recorded or used ‘real time’ to track your movements. 

The loyalty cards issued by retailers are used to generate information 
about you. Each time your card is swiped, data about the transaction is 
stored on a database. 

If you connect to the internet, your ISP keeps a record of the time and 
location of your connection. UK ISPs are required to keep records of 
email subject lines and the URIs of the web pages you have visited. 






Invading privacy 

■ You briefly studied spam in Unit 14 from the 
point of view of security. 

■ This section aims to: 

Look at spam as an invasion of privacy issue; 

Explain how cookies work; 

Discuss how even encryption is no guarantee of 
privacy. 




Spam: invading your email 

Spam is ‘junk’ email that is sent automatically to 
thousands and thousands of recipients at once. 

■ Spam is sometimes referred to as unsolicited 
commercial email or UCE. 

Note that if you subscribe to a service that sends email 
notices of new products or a regular newsletter, whether 
or not these emails irritate you, they are not spam. 

You have, whether or not you realize it, solicited them by 
subscribing to the service. 

Most such services operate some form of privacy policy: it pays
to read this before agreeing to subscribe.

Privacy policy: A policy stating how an organization intends to
use the information it holds about you.






Why is spam any more of a problem than unsolicited 
mail? What is marketed using spam? According to one 
website, the most common uses of spam are for: 

So-called low-cost loans or other forms of credit. 

Schemes purporting to make money quickly. 

Health products and remedies. 

Illegally pirated software. 

Offering shares in unknown start-up corporations. 

Offers of software for collecting e-mail addresses and sending 
spam. 







What spam can cost 

■ Spam is a cheap way to reach thousands of potential 
customers. 

■ The main costs of spam are: 

connect time to collect the email by recipient;

loads on ISPs that effectively reduce their capacity to provide the
services that they offer;

costs of filtering out the spam.

■ Spam filters are software to eliminate obvious spam. 

■ The filtering consumes resources, so few ISPs provide it.

The recipient 

The majority of recipients don’t want to receive spam. As 
a result, spammers trick the recipient into opening their 
messages. Common tricks are to: 

Make the subject line look as if it is not an advertisement or else 
ensure the subject line does not trigger a spam filter (common 
ways are to put spaces between each letter, use a familiar 
greeting such as ‘Hi!’ or use the recipient’s name, as in 
‘Especially for you, John’); 

Disguise the origin of messages, for example by relaying them 
through the mail server of an innocent third party (frequently this 
results in a flood of complaints to the innocent party); 

Forge the headers of messages, making it appear as though the 
message originated elsewhere. 







Cookies: not necessarily a treat 

Cookies are small text files exchanged between a web server and 
client program, designed to permit the customization of web 
information. 

Cookies can be used to store information such as the user’s name, 
items they have purchased and so on. 

Cookies are based on a two-stage process:

1. The cookie is generated by a web server, included in HTML 
information sent to the client program (usually the browser), and 
stored in the user’s computer. 

2. During the second stage, when the user directs the browser to 
display a certain page from the server, the browser will, without the 
user knowing, transmit a copy of the cookie containing personal 
information to the web server, which then uses it. 

Figure 3.1 illustrates this process.



[Figure 3.1: two panels, each showing a CLIENT (User) exchanging data with a SERVER (Bookstore).]

(a) First visit. The page reads "Hello and welcome to the imaginary Internet
Bookstore. What is your name?", with "Bob" typed into the box and an
"Enter the store" button. The process starts when 'Bob' gives his name
during his first visit. The web server sends the cookie with Bob's name
back to his computer, where it is kept.

(b) Return visit. The page reads "Hello Bob, nice to see you back at the
Imaginary Internet Bookstore. Let's go shopping!", with an "Enter the store"
button. When 'Bob' next visits the website, the web server asks Bob's
browser for the cookie. When it gets this back, it can place his name in
the greeting message.

Figure 3.1 The exchange of cookies. When Bob visits the website again, the web
server can 'greet' him as though he were an old friend.




Are cookies all bad? 

■ On a first visit to a given site, a user may be asked for a 
name and perhaps a password or some personal 
information to gain access to that site again in the future. 

■ The site then creates a cookie containing this 
information, stores it on the user’s system and when the 
user next returns to the website it will request the cookie 
to determine who you are and whether you have 
authorization. 

■ A site will only have information that you have entered, 
so if you use a site frequently, it may be quite reasonable 
to store a cookie for it. 








■ The exchange of cookies is done without a user’s 
knowledge. However, cookies cannot harm your 
computer or pass on private information to third parties. 

■ Cookies were designed to allow the personalization of 
information and as a simple mechanism to make it easier 
for users to access websites without having to go 
through a lengthy process of identifying themselves 
every time they repeat a visit. 

■ They can be misused to gather information for direct 
marketing. 

■ What can a user do about receiving cookies? 

A user can set browser preferences to filter or reject cookies or 
can use browser facilities to manage the cookie list. 
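The two-stage exchange of Figure 3.1, and the use of a cookie to decide who a returning visitor is, can be traced in a few lines. This is an added example, not part of the original unit; the cookie name `visitor`, the key `SERVER_SECRET` and all function names are assumptions. It goes one step beyond the figure by attaching an integrity tag (HMAC), because the cookie is a file on the user's machine and the server cannot otherwise tell whether it was edited.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Assumption: a key held only by the bookstore server (constructed value for the demo).
SERVER_SECRET = b"constructed-demo-secret"


def _mac(value: str) -> str:
    """Integrity tag over the cookie value, computable only with the server key."""
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()


def server_first_visit(name: str) -> str:
    """Stage 1: the server builds the Set-Cookie header carrying the visitor's name."""
    cookie = SimpleCookie()
    cookie["visitor"] = f"{name}.{_mac(name)}"    # value plus integrity tag
    cookie["visitor"]["path"] = "/"
    cookie["visitor"]["httponly"] = True           # keep page scripts from reading it
    return cookie.output()                         # "Set-Cookie: visitor=...; HttpOnly; Path=/"


class Browser:
    """Minimal cookie jar: stores what the server sets and replays it unprompted."""

    def __init__(self) -> None:
        self.jar = SimpleCookie()

    def store(self, set_cookie_line: str) -> None:
        self.jar.load(set_cookie_line.split(":", 1)[1].strip())

    def cookie_header(self) -> str:
        """Stage 2: the value sent back on later requests, without asking the user."""
        return "; ".join(f"{k}={m.coded_value}" for k, m in self.jar.items())


def server_return_visit(cookie_header: str) -> str:
    """The cookie comes from the client, so verify it before trusting the name."""
    received = SimpleCookie()
    received.load(cookie_header)
    morsel = received.get("visitor")
    if morsel is not None:
        name, _, tag = morsel.value.rpartition(".")
        if name and hmac.compare_digest(tag.encode(), _mac(name).encode()):
            return f"Hello {name}, nice to see you back at the Imaginary Internet Bookstore."
    return "Hello and welcome to the imaginary Internet Bookstore. What is your name?"


def demo() -> dict:
    browser = Browser()
    browser.store(server_first_visit("Bob"))
    genuine = browser.cookie_header()
    # Constructed case: the stored cookie file is edited to claim another name.
    edited = genuine.replace("visitor=Bob.", "visitor=Alice.")
    return {
        "sent_by_browser": genuine,
        "genuine": server_return_visit(genuine),
        "edited": server_return_visit(edited),
        "no_cookie": server_return_visit(""),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Without the tag check, the edited cookie would be greeted as "Alice"; a site that uses a cookie for authorization needs this kind of verification or a server-side session lookup.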




Behind the scenes: Data Flows 

■ Data flow refers to the gathering of information from 
different sources, combining, manipulating and (often) 
passing it on to others, usually in the interests of 
commercial activities. 

■ Much of the data flow activity begins when online 
companies obtain names and email addresses of people 
who visit their websites. 

■ This is then associated with a cookie that records 
various activities that the user carries out online during 
that and subsequent sessions. 




Keeping things private 

■ It is possible to preserve privacy, even where a network is 
under attack, by using encryption. 

■ Business-to-business and sensitive business-to-customer 
transactions (such as those involving banking, fund transfers 
and credit cards) benefit from encryption and this is usually 
provided by means of secure servers. 

■ People exchanging information they consider private, e.g. 
through emails, may also want to use encryption. In offering 
this form of protection, encryption provides benefits. 

■ However, encryption could also allow criminals and terrorists
to coordinate plans and the execution of their crimes with the
same level of protection!

This is an unwanted disadvantage of encryption.






A novel solution 

■ The American government has recognized that both the 
pro-encryption and anti-encryption camps have valid 
viewpoints: while individuals have a right to privacy, and 
financial information that can be ‘stolen’ must be 
guarded, modern crime fighting may require that law- 
enforcement organizations are able to read encrypted 
materials. 

■ The United States Government chose a novel form of
encryption known as a trusted third party.

■ Trusted third party (escrow agency): an agency trusted
by all other parties to a transaction, which can hold
valuables in trust for exchange.


If you buy an item using a credit card, the card company acts as the
trusted third party.

You entrust the credit card company to pay the merchant for the 
goods while the merchant trusts the card company to have the 
resources to pay for the item. 

■ Trusted third parties could be set up to hold encryption keys. 

This contrasts with the original public-private key method discussed in
Unit 14. Here, private keys are stored with a trusted third party (the
escrow agency) - no public keys are involved.

■ Under normal circumstances a private key is only accessible to the 
holder. 

However, the key could be released to police or intelligence 
agencies if they needed it for an investigation. 

The process of handing a key to a trusted third party is known as
key escrow.

The key itself is said to be in escrow.




The Clipper chip 

A proposed compromise between personal privacy and the need for
intelligence was the Clipper chip, a specially designed
microprocessor which would be built into telephones, modems and
the like.

In normal use, it would ensure the privacy of any two parties sending 
and receiving a message. 

However, in the event of suspected criminal activities, Clipper 
provided a method for government agencies to decrypt encrypted 
messages. 

The encryption to be distributed on the Clipper chip contained three 
pieces of identification: 

1. An 80-bit unit key unique to each Clipper chip.

2. A family key common to all Clipper chips.

3. A unique serial number.






■ Clipper was a key escrow encryption system since copies of the unit 
keys would be held in escrow. 

The unit key would be divided into two parts and sent to two escrow
agencies: one part to the United States Treasury and the other part
to the National Institute of Science and Technology (NIST).

■ In normal use, only the device’s user would have access to the full 
unit key. 

■ Clipper was intended to be used in a wide range of domestic 
communications devices and therefore the entire process of 
encryption and decryption would appear to be seamless to the user 
(indeed they might not be aware that they were using an encryption 
system). It would all happen ‘invisibly’, neither sender nor recipient 
being required to do anything. 

■ Figures 3.2 to 3.8 illustrate the encryption process used with Clipper. 








Figure 3.2 

When two devices fitted with Clipper chips 
communicate with one another, they first 
negotiate an 80-bit session key unique to 
that communication session, i.e. it is a one- 
time key. 

■ The sender’s machine (on the left) and the 
recipient’s machine agree on a shared 
session key (shown in purple). This diagram 
also shows that the two machines share a 
family key (shown in grey), but have their 
own unique unit keys (in blue and red 
respectively) 

Figure 3.2 

A copy of the session key now exists on 
both computers 



Figure 3.3 










Figure 3.4 

The sender’s computer now encrypts the 
message using the session key. 



Figure 3.5 

Next, the sender’s Clipper chip encrypts 
the one-time session key with that chip’s 
unit key. 






Figure 3.6 

Some additional information is added to 
the encrypted session key and the whole 
encrypted with the family key to create a 
piece of information known as the law 
enforcement access field (LEAF). 

The sender’s computer is now ready to 
transmit the encrypted message 

Figure 3.7 

The sender’s computer now transmits the 
encrypted message and the LEAF. 

The encrypted message is received by 
the distant computer. In normal use the 
LEAF is discarded. 

Figure 3.8 

The recipient’s Clipper chip decrypts the 
data using its own copy of the session 
key. The session key is discarded. 




Access to Clipper encrypted messages 





Figure 3.9 

Under normal circumstances the LEAF 
would simply be discarded - it is of no use 
to the two participants. 

However, if an authorized organization had 
an eavesdropping device in operation, it 
would be able to obtain the encrypted 
message and the LEAF. 

The LEAF was encrypted using the family 
key, which is common to all Clipper chips. 

Figure 3.10 

Therefore the agents would be able to use 
their own copy of the family key (shown in 
grey) to decrypt the LEAF, which contains 
the session key needed to read the 
message. 

But that key would still be encrypted with 
the sender’s unit key. 







Figure 3.11 

In order to read the message, the agents would 
have to obtain copies of the unit key from the 
escrow agencies. 

This requires that the agents satisfy a judge that 
there is a case for releasing the keys. 

If granted, the two escrow bodies would release 
their halves of the unit key. 

■ The unit key is then reassembled on the 
investigator’s computer. 

Figure 3.12 

The completed unit key is then used to decrypt 
the session key. 

Figure 3.11 

Finally, the decrypted session key is used to 
decrypt the original document. 
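The key hierarchy walked through in Figures 3.2 to 3.12 can be run end to end. This is an added example, not code from the course material or from the Clipper design: `toy_cipher` is a stand-in for the chip's cipher, and the XOR split of the unit key and the use of the serial number as the LEAF's "additional information" are assumptions.

```python
import hashlib
import secrets

KEY_BYTES = 10  # 80-bit keys, as on the slides


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 keystream. Not the chip's algorithm and
    not secure (no nonce, no integrity); applying it twice with one key decrypts."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EscrowAgency:
    """Holds one part of every unit key, indexed by chip serial number."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._shares = {}

    def deposit(self, serial: int, share: bytes) -> None:
        self._shares[serial] = share

    def release(self, serial: int, court_order: bool) -> bytes:
        if not court_order:
            raise PermissionError(f"{self.name}: no court order, share withheld")
        return self._shares[serial]


class ClipperChip:
    def __init__(self, serial, family_key, agency_a, agency_b):
        self.serial = serial
        self.family_key = family_key
        self.unit_key = secrets.token_bytes(KEY_BYTES)
        # Assumption: the two parts are XOR shares, so one part alone reveals nothing.
        share_a = secrets.token_bytes(KEY_BYTES)
        agency_a.deposit(serial, share_a)
        agency_b.deposit(serial, xor(self.unit_key, share_a))

    def send(self, session_key: bytes, message: bytes):
        ciphertext = toy_cipher(session_key, message)           # Figure 3.4
        wrapped_key = toy_cipher(self.unit_key, session_key)    # Figure 3.5
        # Figure 3.6: the "additional information" is taken to be the serial (assumption).
        leaf = toy_cipher(self.family_key,
                          self.serial.to_bytes(4, "big") + wrapped_key)
        return ciphertext, leaf                                 # Figure 3.7

    def receive(self, session_key: bytes, ciphertext: bytes, leaf: bytes) -> bytes:
        del leaf                                                # discarded in normal use
        return toy_cipher(session_key, ciphertext)              # Figure 3.8


def lawful_access(ciphertext, leaf, family_key, agency_a, agency_b, court_order):
    opened = toy_cipher(family_key, leaf)                       # Figure 3.10
    serial, wrapped_key = int.from_bytes(opened[:4], "big"), opened[4:]
    unit_key = xor(agency_a.release(serial, court_order),
                   agency_b.release(serial, court_order))       # Figure 3.11
    session_key = toy_cipher(unit_key, wrapped_key)             # Figure 3.12
    return toy_cipher(session_key, ciphertext)


def demo() -> dict:
    treasury, nist = EscrowAgency("Treasury"), EscrowAgency("NIST")
    family_key = secrets.token_bytes(KEY_BYTES)
    sender = ClipperChip(1001, family_key, treasury, nist)
    recipient = ClipperChip(1002, family_key, treasury, nist)
    session_key = secrets.token_bytes(KEY_BYTES)                # Figures 3.2 and 3.3
    message = b"constructed sample message"
    ciphertext, leaf = sender.send(session_key, message)
    try:
        lawful_access(ciphertext, leaf, family_key, treasury, nist, court_order=False)
        denied = False
    except PermissionError:
        denied = True
    return {
        "message": message,
        "ciphertext": ciphertext,
        "leaf": leaf,
        "recipient_plain": recipient.receive(session_key, ciphertext, leaf),
        "agent_plain": lawful_access(ciphertext, leaf, family_key,
                                     treasury, nist, court_order=True),
        "denied_without_order": denied,
        "one_share_is_unit_key": treasury.release(1001, True) == sender.unit_key,
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The `court_order` check in `release` is procedural only: nothing in the cryptography enforces it, so whoever holds the family key and both share stores can run `lawful_access` on any recorded message.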




Problems with key escrow 

Key escrow appears to offer a compromise between individual 
privacy and the necessity for law enforcement bodies to prevent 
potentially criminal activities. 

However, there are three major problems with such systems: 

1. Who holds the keys?

Key escrow relies on copies of all private keys being held by an
escrow agency; clearly any trust in such a system depends on how
far people will trust the agency.

2. How are the keys accessed?

The second potential problem lies with the requirements that must
be satisfied before the keys are released to the law enforcement 
agents. 

From a law enforcement point of view, the need to obtain a warrant 
from a judge might be seen as slowing the process. 





3. How secure is the escrow agency?

The escrow agency holds copies of every key in circulation; as 
such it becomes a target for anyone wishing to abuse the 
system. 

The agency must not only be protected from external threats 
but also from disgruntled or criminal members of staff who may 
steal keys and misuse them. 






Owning and controlling information 

■ The other side of the coin of privacy is the desire to 
publish. 

The main reasons for publishing information are to: 

Make money, for example by selling what one publishes. 

Further an interest, such as a hobby, by contributing information. 
Advertise one’s products or services. 

Enhance one’s own fame. 

The digital era has made the task of writing text or music 
or creating images or even films easier than ever. 

■ These can then be advertised or distributed via the web. 

However, such developments have also made it easy to 
steal such materials or to make money by buying up 
property such as domain names. 






This section aims to: 

■ Illustrate the problems associated with what is called 
cyber-squatting (buying up key domain names cheaply, 
then demanding a high price from the ‘natural’ owners of 
the names). 

■ Examine the problem of piracy when information is 
essentially unprotected. 

■ Examine some proposed remedies which use some of 
the technologies discussed in Units 14 and 15. 

■ Illustrate just how important encryption is to every person 
- even if they do not use a computer. 








Companies are normally very jealous of their brand 
name: they see this as key to establishing and 
maintaining a loyal customer base, to building a 
reputation and for public recognition. 

■ Trade mark: mark, word, phrase or symbol registered as
belonging to a particular company and protected by law 
from use by others. 

■ Trade marks have to be registered, renewed and 
defended in law - if they are not, then the trade mark is 
deemed to have lapsed (expired) and the term can be 
used by anyone. 






■ The web grew with such speed that many major companies were
unaware of the value of protecting their corporate and trade mark
names in a new domain.

■ Companies often registered the main commercial domain (.com)
with their name, but omitted to register other similar domains
such as: .co.uk, .org, .biz or .net.

■ Some quick-witted individuals practiced what is called cyber-squatting.

■ Cyber-squatting: the practice of paying to register famous
names as domain names, and then either selling them to the
rightful holder or using them for fraud.

However, courts have tended to take the view that registering a 
trade marked name or brand as a domain constitutes fraud in fact. 
Those who practiced cyber-squatting have found themselves in 
criminal court, charged with fraud, and sentenced accordingly. 




Digital piracy 

■ Digital technologies have transformed piracy by removing some of 
the limitations of analogue technologies. 

For instance, digital copies can be as good as the original, whereas analogue 
copies are always of poorer quality than the original. 

The internet also provides the perfect distribution method for pirated information. 
People connect to a website or a file server and download copies directly to their 
hard disks. 

■ One of the few remaining restraints on piracy is the sheer size of 
media files. 

A compact disc (CD) can hold up to 570MB of information and a DVD can hold 
over 4GB! A computer connected to a modem would require many hours, if not 
days, to receive the contents of a CD. 

■ However, this has been overcome with two novel data formats, MP3 
and DivX. 

They allow digital copies - of poorer quality - of a very small size to be made, 
and so transferred quickly over the internet. 






The problem of compact discs 

A compact disc stores music in a digital format by 
sampling the analogue soundtrack into a stream of 
digital bits. 

■ The compact disc standard requires the original 
soundtrack to be sampled 44,100 times per second (this 
is known as the sample rate, written as 44.1 kHz). 

■ Each sample is 2 bytes (16 bits) long. 

■ A separate sample is taken for the right and left 
channels. 

The following exercises demonstrate how much 
information can be stored on a music CD. 








■ Exercise 1 : How many bits are used to store one second of audio on 
a compact disc? 

■ Solution: 

The sample frequency for a CD is 44,100 samples per second, 
each sample is comprised of 16 bits and one sample is taken for each 
of the stereo channels. 

The answer can be calculated as follows. 44,100 samples per second ×
16 bits × 2 channels = 1,411,200 bits.

Exercise 2: How many bits are there on a full 74-minute compact 
disc? 



■ Solution: 



The answer will be the number of bits recorded in one second 
(calculated in Exercise 1) multiplied by the number of seconds in 74 
minutes. 



There are 74 × 60 = 4,440 seconds in 74 minutes and 1,411,200
bits/second × 4,440 seconds = 6,265,728,000 bits.






Exercise 3: How many seconds would it take to transmit the number 
of bits in Exercise 4.3 over a conventional modem (running at a 
maximum speed of 56,600 bits per second)? 

■ Solution: 

The answer is the total number of bits on the disc divided by the number 
of bits that can be transmitted in one second. 

6,265,728,000 bits / 56,600 bits per second = 110,702 seconds (about 1
day 6 hours!).



■ Compression as a solution 

Transferring a 74-minute CD clearly would take a long time using a 
modem. 



The size of the file could be reduced by the use of a lossless 
compression system such as Zip. 

On average such compression can shrink a file to half its original 
size. 




MP3 - the pirate’s friend 

Greater compression can be achieved using lossy algorithms, which
achieve it by discarding some information.

MP3 is a lossy algorithm that relies on quirks in human hearing to 
help achieve its compression. 

■ The human ear is not equally sensitive to all frequencies of sound, 
therefore the MP3 compression may discard inaudible and less 
audible frequencies without an appreciable loss of quality. 

■ Music on a compact disc can easily be reduced to an MP3 file 
occupying one-tenth of the original size. 

■ MP3 files are better suited to transmission over slow modem links. 

It is simple to convert conventional compact disc music into MP3
format using a program known as a ripper.

■ The majority of computer programs capable of playing CD audio 
discs are also able to convert the music into MP3 files. 






■ MP3-encoded music quickly found its way on to the internet. 

■ MP3 files were often given unusual names to disguise their 
contents from music company investigators. 

■ However, everything changed with the advent of Napster.
Napster consisted of a small client program downloaded to
users’ computers and a powerful central database.

When someone installed the Napster client on their computer, 
the software searched their hard disk for MP3 files with their 
tags that contain information about the recording artist, the 
album, track names, and so on; 

■ By reading these tags, the Napster client was able to correctly
identify the music, and send the information back to the
central Napster database.

■ The Napster server searched through its database of 
registered Napster users, looking for those who had 
copies of the music and compared this with the list of 
Napster users currently online. 

■ The server returned the internet addresses of active 
users to the client, which then displayed their details. 

■ The user could download a copy of the music by clicking 
one of the entries in their client window. 

■ The user’s Napster client program used the remote 
machine’s internet address to establish a direct 
connection to the remote machine’s Napster client. 









Once the connection was established, the music was
transferred directly between the two machines without
involving the Napster server.

■ A user could download a number of pieces of music
simultaneously.

At the same time, their computer could well be sending
music to other Napster users.

The process was known as file swapping or file sharing.

Napster provided a form of ‘brokering’ service to people 
willing to exchange music. 

While the Napster people assumed they had circumvented 
the law, their central database was deemed to make them 
accessories to piracy. 



[Figure: How Napster Works]

A user sends a request for a song.

Napster checks its database of music to see if the song is on a PC of
another Napster user elsewhere on the Internet.

The song is sent directly to the PC of the user who requested it.

No music is stored on Napster's servers. Napster's role is to facilitate
file sharing in what is known as a peer-to-peer relationship among
Internet users.

Most music files are in the popular MP3 format.



Resource: http://ntrg.cs.tcd.ie/undergrad/4ba2.01/group10/napster.html 


Peer-to-peer file swapping 

Napster was an example of what is known as a peer-to-peer
network, where information is exchanged directly
between individual computers without the need for servers.

■ Peer-to-peer networks depend on a peer-to-peer program 
running on each of the network’s users’ computers. 

This program catalogues all the files on its host machine 
that are available for sharing and then looks for similar 
peer-to-peer programs and catalogues on the internet. 

When a user searches for a piece of music, their peer-to-peer
program first contacts a small number of remote peer-to-peer
programs.





Figure 4.4 A simple peer-to-peer file-sharing program. For simplicity only Barry's
peer-to-peer program is shown contacting others running on Mark, Nigella
and Oliver's computers

Figure 4.5 Retrieving files using a peer-to-peer system






■ These in turn send the request on to the peer-to-peer 
programs they are linked to (referred to as a ‘hop’). 

■ Within a few hops it is possible to search a large number of 
computers for the user’s requested music. 

■ Exercise: If a peer-to-peer program contacts 10 computers 
with each hop, how many computers can it search in just five 
hops? 

■ Solution: 



The first hop gives 10 connections, the second 10 for each of these - 10 
x 10 = 100, the third 10 times as many - 1000, the fourth another 10 
times as many - 10,000, the fifth and last another 10 times as many - 
100,000. 



■ This exercise should show you how a fairly simple idea - 
contacting 10 peers who then each contact 10 - can result in 
very large numbers very quickly. 






■ Peer-to-peer networks are a major problem for media
producers as they allow rapid propagation of pirated
materials. (Tracks by major artists have been leaked from
their recording companies and made available for download
even before official release.)

■ Peer-to-peer networks are more difficult to close down than a
system such as Napster as there is no central organization to
deal with.

■ While peer-to-peer systems may seem to be useful only for
piracy, they do have some fundamental advantages over
client-server systems:

- Peer-to-peer systems are less vulnerable (subject) to failure or
deliberate attack because information is distributed so that
there is no single vulnerable point. The interconnections
change constantly.










Resource: http://www.ibiblio.org/team/intro/search/peer_to_peer1.gif 




Evading control? 

FreeNet allows senders of information to hide their identities, so that 
they cannot be persecuted (annoyed). 

■ FreeNet is a decentralized distributed data store.

■ It aims to provide freedom of speech through a peer-to-peer network
with strong protection of anonymity, as part of supporting its users'
freedom.

■ It allows senders of information to hide their identities.

■ It resembles the web in that it is composed of sites (known as 
nodes), each of which contains a number of documents. 

■ FreeNet documents cannot be accessed through a web browser. 
Instead, anyone wishing to view FreeNet pages must download and 
install a client program that can search for, recover and read 
FreeNet pages. 

■ FreeNet is free and open source software.





■ FreeNet uses a unique serial number assigned to each 
document: its Global Unique IDentifier (GUID). 

■ When a user requests a FreeNet page, their client searches 
for that document’s GUID. 

■ So FreeNet is not concerned with a document’s physical 
location. FreeNet documents can be moved or copied but 
remain accessible. 

■ A FreeNet node contains both copies of some human- 
readable documents and a table listing other nodes in the 
FreeNet system with the GUIDs it believes to be held on 
those nodes. 

■ This is known as a routing table.

■ FreeNet offers high levels of security and is robust: many
nodes would have to fail or be shut down to cripple the
network.








■ If a node receives a request for information it first searches
the documents in its possession looking for the requested
GUID.

■ If it does possess that document, the node returns the
information to the requester.

■ If the node does not possess the document, it searches its
routing table for the GUID in question.

■ If the routing table contains a link to that GUID, the node
forwards the request to the appropriate node in the table.

■ If a node’s routing table does not contain an entry for the
GUID, then the node makes a guess at which node in its
table is most likely to have a link to the GUID in question.

■ The message is passed on to that node, and the process is
repeated until the information is found.






Figure 4.6 A simplified diagram of the information held in a FreeNet node. The node
contains a number of documents, each of which possesses a unique GUID.
The routing table contains a list of nodes (in this case BABS and CHAS) and
the documents that this node believes are held on each of them.




Figure 4.7 Node ANDY receives a request for document 0553, which it does not 
possess. ANDY checks its routing table and finds 0553 apparently at a 
node called CHAS so ANDY forwards the request for the document to CHAS. 







Figure 4.8 The node ANDY receives a request for a document it doesn't hold, and
ANDY's routing table doesn't contain the GUID for that document. ANDY
determines that CHAS is most likely to have a reference to the document
and forwards the request to CHAS. CHAS has a reference to the GUID for
that document showing that it is held by TONY. The request is then
forwarded to TONY.
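
The lookup procedure above and the cases in Figures 4.7 and 4.8, as an added example that is not FreeNet's own code. The GUIDs other than 0553, the "numerically closest GUID" guess, the never-revisit check and the hops-to-live limit are assumptions, since the page does not say how a node makes its guess or when a search for a missing document gives up.

```python
class Node:
    def __init__(self, name, documents, routing):
        self.name = name
        self.documents = documents   # GUID -> document held on this node
        self.routing = routing       # neighbour -> GUIDs believed to be held there

    def next_hop(self, guid, visited):
        """Exact routing-table entry if there is one, otherwise a best guess."""
        table = {n: g for n, g in self.routing.items() if n not in visited}
        for neighbour, guids in table.items():
            if guid in guids:
                return neighbour

        # Assumed guess: the neighbour listing the numerically closest GUID.
        def distance(n):
            return min((abs(int(g) - int(guid)) for g in table[n]),
                       default=float("inf"))
        return min(table, key=distance) if table else None


def request(network, start, guid, hops_to_live=5):
    """Route a request from `start`; return (document or None, nodes visited)."""
    path, current = [], start
    while current is not None and len(path) <= hops_to_live:
        path.append(current)
        node = network[current]
        if guid in node.documents:
            return node.documents[guid], path
        current = node.next_hop(guid, set(path))   # never revisit a node
    return None, path


# Constructed sample network; only the node names and GUID 0553 come from the figures.
NETWORK = {n.name: n for n in [
    Node("ANDY", {"0120": "doc 0120"},
         {"BABS": ["0210", "0467"], "CHAS": ["0553", "0790"]}),
    Node("BABS", {"0210": "doc 0210", "0467": "doc 0467"}, {"ANDY": ["0120"]}),
    Node("CHAS", {"0553": "doc 0553", "0790": "doc 0790"},
         {"ANDY": ["0120"], "TONY": ["0812"]}),
    Node("TONY", {"0812": "doc 0812"}, {"CHAS": ["0553"]}),
]}

if __name__ == "__main__":
    for guid in ("0553", "0812", "9999"):
        print(guid, request(NETWORK, "ANDY", guid))
```

A request for 0553 follows ANDY's routing table to CHAS (Figure 4.7), a request for 0812 is guessed towards CHAS and then forwarded to TONY (Figure 4.8), and a request for a GUID nobody holds ends without a document once every reachable neighbour has been tried.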










Attempting total control 



■ Traditionally a producer’s relationship with a consumer
ends when the user purchases the product.

■ When we buy a CD we consider it to be ours to do with
as we wish.

■ Whether we play the music, turn the contents into MP3
files or even use the disc as a coaster, the producer has
no control over how we (mis)use the product.

■ However, it is now possible to use software to control
access to a product.

■ The manufacturer can specify just how their product is to
be used: the type of equipment it is compatible with,
whether it can be copied or altered, or even who can use
the product.






■ This section is concerned with the concept of
Digital Rights Management (DRM). It aims to:

- Introduce the concept of DRM;
- Show how DRM can protect copyrighted data;
- Demonstrate the weaknesses of DRM systems;
- Illustrate a proposal to use DRM to improve computer
security;
- Discuss the ethical aspects of the use of DRM.






■ Digital rights management (DRM) is a concept
whereby the original publisher of material retains control
of how that material is accessed.

■ This control may take the form of systems that prevent a
user from copying material on to a disc or their computer,
systems that block conversion to MP3, or systems that
require the user to pay each time they access the material.

■ The rise of MP3 and Napster has encouraged record
and video companies to investigate techniques capable
of preventing piracy.

■ The most mature technique was the Secure Digital
Music Initiative (SDMI), developed by a consortium of
hardware and software manufacturers.








Secure Digital Music Initiative (SDMI) 

To date almost all attempts at controlling the use of 
copyright material have failed because any security was 
restricted to only part of the system. 

■ The Secure Digital Music Initiative (SDMI) is a Digital 
Rights Management System proposed by electronics 
manufacturers and music publishers. 

■ SDMI was an attempt to secure all parts of the music 
market, including the hardware for playing and recording 
music and the recordings themselves. 

■ SDMI was abandoned after the DRM system was found 
to be ineffective. 






■ The strategy for the SDMI group involved two stages.

■ The first stage was to implement a secure digital watermarking
scheme.

■ This would allow music to be tagged with a secure 
watermark that was hard to remove from the source 
audio without damaging it. 

■ The second stage was to ensure that SDMI compliant 
players wouldn't play SDMI tagged music that wasn't 
authorized for that device. 

■ The reasoning was that even if the files were distributed 
they couldn't be played as the device would detect the 
music wasn't authorized to be played on it. 






Digital watermarks 

■ A watermark is often used to 
establish the authenticity of paper 
documents. 

■ The mark is impressed into the 
paper during the manufacturing 
process and cannot be altered or 
removed without damaging the 
document. 

■ Banknotes often use a watermark 
that is only revealed when they are 
held up to the light. 




A 10-pound banknote with a watermark of the Queen’s portrait.
(Wikipedia)






■ Digital watermarks are streams of bits added to
a file and used to establish its authenticity.

■ Ideally the watermark is undetectable during
normal use, but it can be retrieved using
specialized software.

■ SDMI used two watermarks in every file:

- Robust watermark: would survive compression,
decompression, changes in file format and
copying between devices - even if the machines
were not themselves SDMI compliant.

- Fragile watermark: would not survive the process
of being copied, compressed or altered.

- i.e. any copies made from an SDMI master would
lack the fragile watermark but retain the robust
watermark.
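
The page does not describe SDMI's actual watermarking algorithms, so this added example (not SDMI code) uses two simple stand-ins to show why a lossy copy keeps one mark and loses the other: a key-spread low-level signal for the robust mark and key-derived least-significant bits for the fragile mark. The key, test tone, strengths, thresholds and the three classification labels are all constructed assumptions.

```python
import math
import random

KEY = 0x5D41                           # constructed secret shared by encoder and player
N, AMP, STRENGTH = 20000, 3000, 300    # toy sizes chosen to give a wide detection margin

def chips(n):
    """Key-derived +/-1 sequence that spreads the robust mark over every sample."""
    rng = random.Random(KEY)
    return [1 if rng.getrandbits(1) else -1 for _ in range(n)]

def lsb_pattern(n):
    """Key-derived bits written into sample LSBs (the fragile mark)."""
    rng = random.Random(KEY + 1)
    return [rng.getrandbits(1) for _ in range(n)]

def tone(n=N):
    """Constructed 16-bit test tone standing in for a music track."""
    return [int(AMP * math.sin(2 * math.pi * 440 * i / 44100)) for i in range(n)]

def embed(samples):
    """Add the robust mark, then overwrite each LSB with the fragile pattern."""
    marked = [s + STRENGTH * c for s, c in zip(samples, chips(len(samples)))]
    return [(s & ~1) | b for s, b in zip(marked, lsb_pattern(len(marked)))]

def has_robust(samples):
    """Correlate with the key sequence; a marked file averages near STRENGTH."""
    corr = sum(s * c for s, c in zip(samples, chips(len(samples)))) / len(samples)
    return corr > STRENGTH / 2

def has_fragile(samples):
    """Present only if practically every LSB still matches the key pattern."""
    hits = sum((s & 1) == b for s, b in zip(samples, lsb_pattern(len(samples))))
    return hits / len(samples) > 0.99

def lossy_copy(samples):
    """Stand-in for compression: throw away the 8 least significant bits."""
    return [(s >> 8) << 8 for s in samples]

def classify(samples):
    """Player-side decision: robust without fragile means a copy of a master."""
    if not has_robust(samples):
        return "unmarked"
    return "sdmi-original" if has_fragile(samples) else "sdmi-copy"

if __name__ == "__main__":
    master = embed(tone())
    for name, audio in [("plain", tone()), ("master", master),
                        ("copy", lossy_copy(master))]:
        print(name, classify(audio))
```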




An image with visible 
digital watermarking. 
(Wikipedia) 






■ Microsoft has added DRM to its Windows Media 
Player, and has proposals to include such features 
in future versions of Microsoft Windows. 

■ The proposals, known as the Next-Generation Secure
Computing Base (NGSCB, formerly known as
Palladium), would allow software vendors to control
the way information is processed inside a computer.

■ The ostensible reason for NGSCB is to increase 
computer security by preventing malicious software 
from infecting computers. 









■ Once the operating system has started, the NGSCB
enforcement system takes control of the computer.

■ NGSCB contains a feature that will only allow a
program to run if it has a corresponding valid digital
signature.

■ If a program does not have a digital signature, NGSCB
could refuse to execute the program entirely.

■ In theory, this could make computing much safer.

■ The viruses and worms on the internet would not be
able to obtain a digital signature certificate; therefore
they could never run on a computer that required
certification.






■ However, it is not impossible to imagine a 
corrupt organization issuing NGSCB certificates 
to virus writers or developers of spyware. 

■ Spyware is a type of software that sits in the 
background of your computer and monitors the 
machine and your use of it; it then sends this 
information back to its originators. 

■ This information can then be sold on to software 
development companies and marketing groups. 









Unit Summary 



In this unit, you’ve learned about:

■ The nature of privacy and of surveillance, and the tensions
and contradictions that exist between making information
publicly available and keeping it private.

■ Spam (unsolicited commercial emails), the hidden exchange
of personal information through cookies and the Clipper chip.

■ Cyber-squatting, which is one form of intellectual property
appropriation.

■ Napster, which provided a form of ‘brokering’ service to
people willing to exchange music.

■ Peer-to-peer networking, which has one general advantage:
robustness.

■ Digital rights management (DRM), which seeks to control
how users interact with data and is a technical solution to
copyright infringement.

■ The Secure Digital Music Initiative (SDMI) for protecting
music.






